On Wed, Dec 15, 2010 at 09:29:53PM +0000, JR Aquino wrote:
> Thank you very much Nalin, at first glance these patches appear to solve
> what we are after.
> 
> However, it looks like the master has drifted a little and these don't
> apply correctly.
> 
> Could I ask you to do a quick spot-check and verify that we can apply
> these against the current master?

Looks fine from here.  Attached are rebased versions, just in case.

Nalin
>From 4e74df79e41209296a81401f243d9f312f01dbc3 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <na...@redhat.com>
Date: Tue, 30 Nov 2010 18:25:33 -0500
Subject: [PATCH 1/2] sudo and netgroup schema compat updates
 - fix quoting of netgroup entries
 - don't bother looking for members of netgroups by looking for entries
   which list "memberOf: $netgroup" -- the netgroup should list them as
   "member" values
 - use newer slapi-nis functionality to produce cn=sudoers
 - drop the real cn=sudoers container to make room for the compat
   container

---
 install/share/bootstrap-template.ldif |    6 -----
 install/share/schema_compat.uldif     |   37 ++++++++++++++++++++++++++++----
 ipa.spec.in                           |    2 +-
 3 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/install/share/bootstrap-template.ldif 
b/install/share/bootstrap-template.ldif
index 4f10f07..81eb5d6 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -64,12 +64,6 @@ objectClass: top
 objectClass: nsContainer
 cn: sudorules
 
-dn: cn=SUDOers,$SUFFIX
-changetype: add
-objectClass: nsContainer
-objectClass: top
-cn: SUDOers
-
 dn: cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index 22e3141..52c8d5a 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -47,7 +47,6 @@ default:schema-compat-entry-attribute: objectclass=posixGroup
 default:schema-compat-entry-attribute: gidNumber=%{gidNumber}
 default:schema-compat-entry-attribute: memberUid=%{memberUid}
 default:schema-compat-entry-attribute: memberUid=%deref("member","uid")
-default:schema-compat-entry-attribute: 
memberUid=%referred("cn=users","memberOf","uid")
 
 dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
 add:objectClass: top
@@ -56,14 +55,42 @@ add:cn: ng
 add:schema-compat-container-group: 'cn=compat, $SUFFIX'
 add:schema-compat-container-rdn: cn=ng
 add:schema-compat-check-access: yes
-add:schema-compat-search-base: 'cn=ng,cn=alt,$SUFFIX'
-add:schema-compat-search-filter: !(cn=ng)
+add:schema-compat-search-base: 'cn=ng, cn=alt, $SUFFIX'
+add:schema-compat-search-filter: (objectclass=ipaNisNetgroup)
 add:schema-compat-entry-rdn: cn=%{cn}
 add:schema-compat-entry-attribute: objectclass=nisNetgroup
 add:schema-compat-entry-attribute: 'memberNisNetgroup=%deref_r("member","cn")'
-add:schema-compat-entry-attribute: 
'memberNisNetgroup=%referred_r("cn=ng","memberOf","cn")'
-add:schema-compat-entry-attribute: 
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})
+add:schema-compat-entry-attribute: 
'nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})'
+
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add:objectClass: top
+add:objectClass: extensibleObject
+add:cn: sudoers
+add:schema-compat-container-group: 'cn=SUDOers, $SUFFIX'
+add:schema-compat-search-base: 'cn=sudorules, $SUFFIX'
+add:schema-compat-search-filter: 
(&(objectclass=ipaSudoRule)(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))
+add:schema-compat-entry-rdn: cn=%{cn}
+add:schema-compat-entry-attribute: objectclass=sudoRole
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%{externalUser}")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%deref_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\"uid\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%%%deref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref(\"memberDenyCmd\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","!%deref_r(\"memberDenyCmd\",\"member\",\"sudoCmd\")")'
+add:schema-compat-entry-attribute: 'sudoRunAsUser=%{ipaSudoRunAsExtUser}'
+add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
+add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
+add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'
 
 # Enable anonymous VLV browsing for Solaris
 dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
 only:aci: '(targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow 
(read, search, compare, proxy) userdn = "ldap:///anyone";; )'
+
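Review bot: The new cn=sudoers compat entry (L82–L122) does not set `schema-compat-check-access`, while the sibling cn=ng entry in the same file sets `add:schema-compat-check-access: yes` (L67); unless the plugin's default is already to enforce it, sudoRole entries synthesized under cn=SUDOers would be returned without checking that the bound client may read the underlying ipaSudoRule entries. For consistency and least privilege, add `add:schema-compat-check-access: yes` after the `schema-compat-search-base` line at L87, or note in a `#` comment why the sudo map is intentionally served without that check. The search filter at L88–L89 uses negations (`(!(compatVisible=FALSE))(!(ipaEnabledFlag=FALSE)))`), so a rule missing either attribute is treated as visible and enabled; a one-line `#` comment stating that this is the intended default would save the next reader a trip to the schema. The trailing `+` line at L128 adds only a blank line at end of file and can be dropped.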
diff --git a/ipa.spec.in b/ipa.spec.in
index 95f6e10..764688f 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -91,7 +91,7 @@ Requires: libcap
 Requires: selinux-policy
 %endif
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.15
+Requires: slapi-nis >= 0.21
 Requires: pki-ca >= 1.3.6
 Requires: pki-silent >= 1.3.4
 Requires(preun):  python initscripts chkconfig
-- 
1.7.3.3

>From c1e668bf3655bc2e6cbc3c2683e2ec2c057f4fb1 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <na...@redhat.com>
Date: Thu, 9 Dec 2010 15:31:13 -0500
Subject: [PATCH 2/2] sudo: treat mepOriginEntry hostgroups differently
 - if a hostgroup named by the memberHost attribute is not also a
   mepOriginEntry, proceed as before
 - if a hostgroup named by the memberHost attribute is also a
   mepOriginEntry, read its "cn" attribute, prepend a "+" to it,
   and call it done

---
 install/share/schema_compat.uldif |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/install/share/schema_compat.uldif 
b/install/share/schema_compat.uldif
index 52c8d5a..fcd993a 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -78,7 +78,8 @@ add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","%
 add:schema-compat-entry-attribute: 
'sudoUser=%ifeq("userCategory","all","ALL","+%deref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
 add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%{externalHost}")'
 add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")'
-add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(objectclass=ipaHostGroup)\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","%deref_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEntry)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"fqdn\")")'
+add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntry))\",\"cn\")")'
 add:schema-compat-entry-attribute: 
'sudoHost=%ifeq("hostCategory","all","ALL","+%deref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")'
 add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref(\"memberAllowCmd\",\"sudoCmd\")")'
 add:schema-compat-entry-attribute: 
'sudoCommand=%ifeq("cmdCategory","all","ALL","%deref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")'
-- 
1.7.3.3
